This audit was conducted to identify MS Access applications and databases in use across NARA, assess the security controls for those applications and databases, and determine whether NARA is appropriately positioned to accommodate and maintain the applications and databases and security controls after the planned MS Access upgrade to a newer version.
Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | |
---|---|---|---|---|---|
3 | Yes | $0 | $0 | ||
We recommend the Chief Information Officer, in conjunction with each program office, develop and implement a comprehensive, systematic process to determine when a MS Access application or database should be recognized as an IT system. | |||||
4 | Yes | $0 | $0 | ||
We recommend the Chief Information Officer, in conjunction with each program office: Determine all MS Access databases containing PII and ensure they are: (a) encrypted in storage and transmission; and (b) password-protected in accordance with NARA Directive 1608 and the Privacy Act. | |||||
5 | Yes | $0 | $0 | ||
Develop and implement a process, for future MS Access applications and databases created by program offices, including notification to and approval from the Office of Information Services for those that are mission-critical and/or contain PII or otherwise sensitive information. |